
Virtumonde Infection Detected


This topic is locked
2 replies to this topic

#1 strangelove

strangelove

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:37 PM

Posted 23 June 2008 - 11:58 AM

Nod32 has blocked about "3000" attacks from this virus so far, so it claims. I have run vundofix but it didn't do anything. I have run spybot/adaware/nod32, nothing seems to be removing it but nod32 is telling me that it is blocking attacks but it keeps attacking even after restarts. Symptoms include not being able to navigate to any website that uses Java. I also got insane popups in IE7 (I use Firefox 3), but those have stopped coming. Please help me get rid of this thing completely so I feel safe using my PC again.


So it is known that the infected DLL in question is named ssqPgHYp.dll




COMBO FIX LOG

ComboFix 08-06-20.4 - Adrian Medina 2008-06-23 12:26:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1499 [GMT -4:00]
Running from: C:\Documents and Settings\Adrian Medina\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BM1fbce131.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pmtaqoqp.ini
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\sCcKlUtv.ini
C:\WINDOWS\system32\sCcKlUtv.ini2
C:\WINDOWS\system32\tuiwacur.ini
C:\WINDOWS\system32\vtUlKcCs.dll
C:\WINDOWS\system32\XIhNmUtv.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
.

2008-06-22 15:09 . 2008-06-22 15:09 90,624 --a------ C:\WINDOWS\system32\nlpompae.dll
2008-06-22 15:09 . 2008-06-22 15:09 80,384 --a------ C:\WINDOWS\system32\rucawiut.dll
2008-06-22 10:28 . 2008-06-22 10:28 <DIR> d-------- C:\Program Files\CCleaner
2008-06-21 18:21 . 2008-06-21 18:21 <DIR> d-------- C:\Program Files\ESET
2008-06-21 18:13 . 2008-06-21 22:02 <DIR> d-------- C:\Program Files\Steam 2
2008-06-21 13:53 . 2008-06-21 13:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-21 12:41 . 2008-06-21 12:41 81,408 --a------ C:\WINDOWS\system32\pqoqatmp.dll
2008-06-21 12:38 . 2008-06-21 12:38 99,328 --a------ C:\WINDOWS\system32\cdvkdmlq.dll
2008-06-21 12:36 . 2008-06-21 12:36 90,112 --a------ C:\WINDOWS\system32\tpbnbuuf.dl
2008-06-21 09:11 . 2008-06-21 09:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-21 09:11 . 2008-06-21 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-21 08:56 . 2008-06-21 12:30 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 08:56 . 2008-06-21 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 12:10 . 2008-06-20 12:10 5,882 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-20 12:08 . 2008-06-20 12:08 24,576 --a------ C:\WINDOWS\system32\ssqPgHYp.dll
2008-06-18 19:37 . 2008-06-18 19:37 <DIR> d-------- C:\Program Files\Netflix
2008-06-18 13:59 . 2008-06-18 13:59 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-06-18 12:12 . 2008-06-18 12:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-15 00:57 . 2008-06-20 13:54 <DIR> d-------- C:\Documents and Settings\Adrian Medina\Application Data\SPORE Creature Creator
2008-06-11 19:58 . 2008-06-13 07:05 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 19:58 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-04 14:12 . 2008-06-04 14:12 <DIR> d-------- C:\Program Files\Common Files\BioWare
2008-06-04 13:54 . 2008-06-04 14:13 <DIR> d-------- C:\Program Files\Mass Effect
2008-06-01 15:32 . 2008-06-20 22:11 244 --ah----- C:\sqmnoopt19.sqm
2008-06-01 15:32 . 2008-06-20 22:11 232 --ah----- C:\sqmdata19.sqm
2008-06-01 13:22 . 2008-06-20 17:55 244 --ah----- C:\sqmnoopt18.sqm
2008-06-01 13:22 . 2008-06-20 17:55 232 --ah----- C:\sqmdata18.sqm
2008-06-01 13:17 . 2008-06-20 17:22 244 --ah----- C:\sqmnoopt17.sqm
2008-06-01 13:17 . 2008-06-20 17:22 232 --ah----- C:\sqmdata17.sqm
2008-06-01 10:15 . 2008-06-20 14:59 244 --ah----- C:\sqmnoopt16.sqm
2008-06-01 10:15 . 2008-06-20 14:46 244 --ah----- C:\sqmnoopt15.sqm
2008-06-01 10:15 . 2008-06-20 14:59 232 --ah----- C:\sqmdata16.sqm
2008-06-01 10:15 . 2008-06-20 14:46 232 --ah----- C:\sqmdata15.sqm
2008-05-31 23:28 . 2008-06-20 14:18 244 --ah----- C:\sqmnoopt14.sqm
2008-05-31 23:28 . 2008-06-20 14:18 232 --ah----- C:\sqmdata14.sqm
2008-05-31 13:08 . 2008-06-20 14:16 244 --ah----- C:\sqmnoopt13.sqm
2008-05-31 13:08 . 2008-06-20 14:16 232 --ah----- C:\sqmdata13.sqm
2008-05-31 10:04 . 2008-06-20 14:15 244 --ah----- C:\sqmnoopt12.sqm
2008-05-31 10:04 . 2008-06-20 14:15 232 --ah----- C:\sqmdata12.sqm
2008-05-31 09:14 . 2008-06-23 12:22 268 --ah----- C:\sqmdata11.sqm
2008-05-31 09:14 . 2008-06-23 12:22 244 --ah----- C:\sqmnoopt11.sqm
2008-05-30 21:43 . 2008-06-22 14:51 244 --ah----- C:\sqmnoopt10.sqm
2008-05-30 21:43 . 2008-06-22 14:51 232 --ah----- C:\sqmdata10.sqm
2008-05-30 20:00 . 2008-06-22 14:38 244 --ah----- C:\sqmnoopt09.sqm
2008-05-30 20:00 . 2008-06-22 14:38 232 --ah----- C:\sqmdata09.sqm
2008-05-30 16:11 . 2008-06-22 12:35 244 --ah----- C:\sqmnoopt08.sqm
2008-05-30 16:11 . 2008-06-22 12:35 232 --ah----- C:\sqmdata08.sqm
2008-05-30 14:25 . 2008-06-22 11:55 244 --ah----- C:\sqmnoopt07.sqm
2008-05-30 14:25 . 2008-06-22 11:55 232 --ah----- C:\sqmdata07.sqm
2008-05-30 14:10 . 2008-06-22 11:54 268 --ah----- C:\sqmdata06.sqm
2008-05-30 14:10 . 2008-06-22 11:54 244 --ah----- C:\sqmnoopt06.sqm
2008-05-30 13:53 . 2008-05-30 13:53 <DIR> d-------- C:\WINDOWS\mplayer
2008-05-30 13:53 . 2008-05-30 14:00 <DIR> d-------- C:\Program Files\MPlayer
2008-05-30 12:59 . 2008-06-21 13:36 268 --ah----- C:\sqmdata05.sqm
2008-05-30 12:59 . 2008-06-21 13:36 244 --ah----- C:\sqmnoopt05.sqm
2008-05-30 11:17 . 2008-06-21 12:34 268 --ah----- C:\sqmdata04.sqm
2008-05-30 11:17 . 2008-06-21 12:34 244 --ah----- C:\sqmnoopt04.sqm
2008-05-29 22:58 . 2008-06-21 12:28 268 --ah----- C:\sqmdata03.sqm
2008-05-29 22:58 . 2008-06-21 12:28 244 --ah----- C:\sqmnoopt03.sqm
2008-05-29 22:30 . 2008-06-21 12:24 268 --ah----- C:\sqmdata02.sqm
2008-05-29 22:30 . 2008-06-21 12:24 244 --ah----- C:\sqmnoopt02.sqm
2008-05-26 14:34 . 2008-05-26 14:34 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
2008-05-26 14:34 . 2008-05-26 14:34 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-05-26 14:31 . 2008-05-26 14:31 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-26 14:31 . 2008-05-26 14:34 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-05-26 14:31 . 2008-05-26 14:31 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-05-26 14:27 . 2008-05-26 14:27 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-25 13:15 . 2008-05-25 21:48 <DIR> d-------- C:\Program Files\Hamachi
2008-05-25 13:15 . 2008-05-30 13:55 <DIR> d-------- C:\Documents and Settings\Adrian Medina\Application Data\Hamachi
2008-05-25 13:15 . 2008-05-25 13:15 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-05-24 20:12 . 2008-06-21 12:20 <DIR> d-------- C:\Program Files\MySpace
2008-05-24 20:12 . 2008-05-24 20:12 <DIR> d-------- C:\Documents and Settings\Adrian Medina\Application Data\MySpace
2008-05-23 20:51 . 2008-05-23 20:51 <DIR> d-------- C:\Documents and Settings\Adrian Medina\Application Data\Lost Marble
2008-05-23 20:49 . 2008-05-23 20:49 <DIR> d-------- C:\Program Files\Smith Micro
2008-05-23 15:53 . 2008-05-25 20:19 <DIR> d-------- C:\Program Files\YVD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 16:07 --------- d-----w C:\Documents and Settings\Adrian Medina\Application Data\uTorrent
2008-06-23 16:01 --------- d-----w C:\Documents and Settings\Adrian Medina\Application Data\Skype
2008-06-23 12:08 --------- d-----w C:\Documents and Settings\Adrian Medina\Application Data\skypePM
2008-06-22 16:08 --------- d-----w C:\Program Files\PeerGuardian2
2008-06-21 21:06 --------- d-----w C:\Documents and Settings\Adrian Medina\Application Data\DVD Flick
2008-06-21 16:58 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 3
2008-06-21 16:31 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-06-21 16:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-21 13:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-20 16:59 --------- d-----w C:\Documents and Settings\Adrian Medina\Application Data\SystemRequirementsLab
2008-06-19 21:52 --------- d-----w C:\Documents and Settings\Adrian Medina\Application Data\GrabIt
2008-06-19 17:34 --------- d-----w C:\Program Files\Gothic III
2008-06-15 04:57 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-15 04:56 --------- d-----w C:\Program Files\Electronic Arts
2008-06-10 07:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-02 18:57 --------- d-----w C:\Documents and Settings\Adrian Medina\Application Data\dvdcss
2008-05-22 22:13 --------- d-----w C:\Documents and Settings\Adrian Medina\Application Data\VMware
2008-05-19 22:33 --------- d-----w C:\Program Files\PowerQuest
2008-05-17 21:00 --------- d-----w C:\Program Files\World of Warcraft
2008-05-17 18:41 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-05-17 12:40 --------- d-----w C:\Program Files\Lionhead Studios
2008-05-15 23:37 --------- d-----w C:\Program Files\Home Audiometer
2008-05-14 23:02 --------- d-----w C:\Documents and Settings\Adrian Medina\Application Data\AdobeUM
2008-05-14 23:02 --------- d-----w C:\Documents and Settings\Adrian Medina\Application Data\AdobeAUM
2008-05-14 22:48 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-13 22:57 --------- d-----w C:\Program Files\uTorrent
2008-05-10 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2008-05-10 16:59 --------- d-----w C:\Program Files\Microsoft Games
2008-05-10 13:58 --------- d-----w C:\Program Files\GrabIt
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-04 18:59 --------- d-----w C:\Program Files\LucasArts
2008-05-01 21:45 --------- d-----w C:\Program Files\The Rosetta Stone
2008-05-01 19:35 --------- d-----w C:\Program Files\support.com
2008-05-01 19:34 --------- d-----w C:\Program Files\Common Files\SupportSoft
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-12 17:04 6,067 ----a-w C:\Program Files\install.log
2008-04-07 15:11 208,361 ----a-w C:\WINDOWS\fix.exe
2008-03-18 22:24 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-23_12.19.06.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 12:30:49 272,128 -c----w C:\WINDOWS\$NtUninstallKB951376-v2$\bthport.sys
+ 2007-11-30 11:18:51 231,288 -c----w C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe
+ 2007-11-30 11:18:51 382,840 -c----w C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\updspapi.dll
- 2008-06-23 16:08:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-23 16:21:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-14 12:30:49 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-13 11:05:51 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F86B11F3-0CE1-475F-9541-5329BF7B3597}]
2008-06-20 12:08 24576 --a------ C:\WINDOWS\system32\ssqPgHYp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 09:08 136136]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-26 01:57 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 19:53 153136]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F86B11F3-0CE1-475F-9541-5329BF7B3597}"= C:\WINDOWS\system32\ssqPgHYp.dll [2008-06-20 12:08 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPgHYp]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Adrian Medina^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Adrian Medina\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 12:15 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-01-26 07:57 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 02:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
C:\Program Files\ooVoo\ooVoo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
--a------ 2005-09-18 19:40 1421824 C:\Program Files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 18:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-06-21 22:02 1271032 C:\Program Files\Steam 2\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\EA Games\\Ultima Online Mondain's Legacy\\client.exe"=
"C:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"C:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"C:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2008-01-25 17:21]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 12:33:33
Windows 5.1.2600 Service Pack 3, v.3300 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [1908] 0x89B20C70

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ssqPgHYp.dll
.
Completion time: 2008-06-23 12:37:15
ComboFix-quarantined-files.txt 2008-06-23 16:36:08

Pre-Run: 23,536,279,552 bytes free
Post-Run: 23,535,849,472 bytes free

278 --- E O F --- 2008-06-23 16:15:04


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:49 PM, on 6/23/2008
Platform: Windows XP SP3, v.3300 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Adrian Medina\Desktop\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {F86B11F3-0CE1-475F-9541-5329BF7B3597} - C:\WINDOWS\system32\ssqPgHYp.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ssqPgHYp - C:\WINDOWS\
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5391 bytes

Edited by strangelove, 23 June 2008 - 12:00 PM.
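An added Python example (not code from the post or from any of the tools named in it) that correlates the HijackThis and ComboFix entries quoted above: it flags a DLL that is registered as a BHO, a ShellExecuteHook and a Winlogon Notify package at the same time and is also loaded inside winlogon.exe, which is exactly the pattern the two logs show for ssqPgHYp.dll. The sample log lines are copied from the post; the function names, the VUNDO_CHAIN set and the min_hits threshold are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log in the post above.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {F86B11F3-0CE1-475F-9541-5329BF7B3597} - C:\WINDOWS\system32\ssqPgHYp.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O20 - Winlogon Notify: ssqPgHYp - C:\WINDOWS\
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Constructed sample: "Reg Loading Points" and "DLLs Loaded" lines from the ComboFix log above.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F86B11F3-0CE1-475F-9541-5329BF7B3597}]
2008-06-20 12:08 24576 --a------ C:\WINDOWS\system32\ssqPgHYp.dll

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F86B11F3-0CE1-475F-9541-5329BF7B3597}"= C:\WINDOWS\system32\ssqPgHYp.dll [2008-06-20 12:08 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPgHYp]

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ssqPgHYp.dll
"""

# Stem of every "<name>.dll" on a line; a backslash ends the name, so full paths are fine.
DLL_RE = re.compile(r"([A-Za-z0-9_~.-]+)\.dll\b", re.IGNORECASE)
# The four load points the module in the log above is hooked into at the same time (assumed set).
VUNDO_CHAIN = {"O2 BHO", "O20 Winlogon Notify", "shellexecutehooks", "winlogon\\notify"}

def dll_stems(line):
    """Lower-cased file-name stems of every DLL mentioned on the line."""
    return {m.group(1).lower() for m in DLL_RE.finditer(line)}

def parse_hjt(text):
    """Map DLL stem -> set of HijackThis entry types (O2, O20, ...) it is registered under."""
    where = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line.strip())
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "O20":
            # Notify subkeys are named after their DLL and HJT prints only the directory,
            # so the subkey name stands in for the file name (see the O20 sample line).
            nm = re.match(r"Winlogon Notify: (\S+) - ", rest)
            if nm:
                where[nm.group(1).lower()].add("O20 Winlogon Notify")
            continue
        for stem in dll_stems(rest):
            where[stem].add("O2 BHO" if kind == "O2" else kind)
    return where

def parse_combofix(text):
    """Map DLL stem -> set of ComboFix registry keys / host processes it appears in."""
    where = defaultdict(set)
    key = proc = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key, proc = line[1:-1].lower(), None
            nm = re.search(r"winlogon\\notify\\([^\\]+)$", key)  # subkey name is the DLL stem
            if nm:
                where[nm.group(1)].add("winlogon\\notify")
        elif line.startswith("PROCESS:"):
            key, proc = None, line.split(":", 1)[1].strip().lower()
        elif line.startswith("->") and proc:
            for stem in dll_stems(line):
                where[stem].add("loaded in " + proc.rsplit("\\", 1)[-1])
        elif key:
            tag = "BHO" if "browser helper objects" in key else key.rsplit("\\", 1)[-1]
            for stem in dll_stems(line):
                where[stem].add(tag)
    return where

def suspicious_modules(hjt_text, combofix_text, min_hits=3):
    """{stem: sorted load points} for DLLs seen in >= min_hits VUNDO_CHAIN locations,
    or injected into winlogon.exe while sitting in at least one of them."""
    merged = defaultdict(set)
    for src in (parse_hjt(hjt_text), parse_combofix(combofix_text)):
        for stem, locs in src.items():
            merged[stem] |= locs
    flagged = {}
    for stem, locs in merged.items():
        hits = len(locs & VUNDO_CHAIN)
        injected = any(loc.startswith("loaded in winlogon") for loc in locs)
        if hits >= min_hits or (injected and hits):
            flagged[stem] = sorted(locs)
    return flagged

if __name__ == "__main__":
    for stem, locs in suspicious_modules(HJT_SAMPLE, COMBOFIX_SAMPLE).items():
        print(f"{stem}.dll: {', '.join(locs)}")
```

Legitimate entries such as the OneNote O9 button or the ESET service never reach the threshold, so only the module chained through all four load points is reported.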



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:37 PM

Posted 01 July 2008 - 04:26 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
I would like to point out the forum guidelines posted at the top of this page, specifically number 2.

DO NOT post a ComboFix log unless requested to.

Combofix is a powerful program and should not be used unless under the direction of someone experienced in its use.


Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.




==============



Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:37 PM

Posted 21 July 2008 - 08:02 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.



